Elements and Performance Criteria
- Establish the organisational context
  - Legislative and regulatory requirements for the organisation are identified and documented in accordance with organisational policy and procedures.
  - Legislation is analysed for any security implications for information management, and the outcomes are documented.
  - The organisation's purpose and function are reviewed for compliance requirements.
  - The broad social context in which the organisation operates is analysed to determine community expectations.
- Determine the principal areas of risk requiring an information strategy
  - Existing risk analyses for the organisation's functions are reviewed and updated.
  - Regulatory requirements and legal liabilities are reviewed and documented for their impact on the information systems framework.
  - Risks and liabilities to be managed by information systems are determined and documented, informing the development of the framework.
- Determine the information system requirements for each business function
  - Risks, liabilities and regulatory requirements are determined and analysed against each business function.
  - The requirements determined for each business function are documented and communicated as the evidence to be captured as records.
  - Information system specifications are formulated from the evidence requirements in accordance with the organisation's technologies, standards and protocols.
  - Information security requirements are determined for each business function.
  - Specifications for information systems security measures are determined consistent with government guidelines and standards.
- Establish the information systems framework for the organisation
  - An overview of responsibilities for information management within the organisation is developed and communicated.
  - Responsibilities and authorities in relation to regulatory requirements are defined in accordance with jurisdictional and organisational standards.
  - Information management responsibilities and rights for each business function are defined.
  - Identified risks and liabilities managed by information systems are integrated with the definition of responsibilities for each function.
  - Levels of accountability and responsibility within the framework are defined, assigned and documented for each function.
  - Security procedures for information systems are formulated and documented.
- Obtain approval for the framework
  - The completed and documented framework of areas of risk, regulatory requirements, records specifications, security requirements and information management responsibilities is communicated to the appropriate person(s) for review and endorsement.
  - A review process is established, and appropriate persons are charged with maintaining the currency of the organisation's information systems framework.